[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: GSSAPI, OpenLDAP 2.0.21 and core dump
At 04:03 PM 01/30/2002 -0800, hyc@highlandsun.com wrote:
What part of
>> ldap_start_tls: Connect error
>> additional info: error:24064064:random number
>> generator:SSLEAY_RAND_BYTES:PRNG not seeded
leads you to the conclusion that this has something to do with
certificates?
What makes you think this has anything to do with anything other than,
perhaps,
not seeding your random number generator?
Just the part of:
*****
# ./run_slapd debug 1
@(#) $OpenLDAP: slapd 2.0.21-Release (Wed Jan 30 14:11:15 PST 2002) $
@web.georgefox.edu:/export/ldap/openldap-2.0.21/servers/slapd
... SNIP ...
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(9): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
*****
This sounded suspiciously (to this ignorant OpenSSL person) as a problem
with the "client certificate A", especially since it works perfectly with
Netscape.
Also, this error message is clearly coming from SSLeay and/or OpenSSL, but
you
neglected to mention either in your email. Seems a rather significant
detail to
be omitting. Especially since the Kerberos and/or SASL libraries may have
been
built on top of the OpenSSL crypto library. (I have no idea, you didn't
say.
But that would be a good reason why an unintialized SSL random number
generator
is preventing your Kerberos login from working.)
Actually, I did mention the name of the manual I am using, "OpenLDAP,
OpenSSL, SASL and KerberosV HOWTO".
When you REALLY need something to work, the first thing you REALLY need to
do
is Read The Documentation. In your case, you REALLY need to read the "FAQ"
file
that is included in the OpenSSL source, especially the section that starts
"Why
do I get a ``PRNG not seeded'' error message?"
Thank you for the pointer. I will look at this tomorrow. In the mean time,
does anyone know if this is the cause of the core dump (the show-stopper I
have been working on)? As I said earlier, the encryption on the link is
currently not the show-stopper. What I REALLY need is help with the
Kerberos integration (since I have been working on this problem for 2 weeks
and browsed through several hundred archived emails, FAQ and manuals). I
have been working with documentation that appears to assume you know all
the commands and configurations before you start.
Again, any help appreciated in advance,
Tony
******************************************************************************
* Anthony Brock abrock@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************